Professional Documents
Culture Documents
PDF Sec501 6 Data Loss Prevention Eric Cole Ebook Full Chapter
PDF Sec501 6 Data Loss Prevention Eric Cole Ebook Full Chapter
Cole
Visit to download the full and correct content document:
https://textbookfull.com/product/sec501-6-data-loss-prevention-eric-cole/
More products digital (pdf, epub, mobi) instant
download maybe you interests ...
https://textbookfull.com/product/security-and-loss-
prevention-7th-edition-philip-p-purpura/
https://textbookfull.com/product/legal-liabilities-in-safety-and-
loss-prevention-3rd-edition-thomas-d-schneid/
https://textbookfull.com/product/loss-data-analysis-the-maximum-
entropy-approach-1st-edition-henryk-gzyl/
https://textbookfull.com/product/student-solutions-manual-to-
accompany-loss-models-from-data-to-decisions-klugman/
Broken Lyssa Cole
https://textbookfull.com/product/broken-lyssa-cole/
https://textbookfull.com/product/working-as-a-data-librarian-a-
practical-guide-eric-o-johnson/
https://textbookfull.com/product/all-i-want-for-christmas-is-
drew-1st-edition-lila-cole-cole/
https://textbookfull.com/product/arrogant-assassin-hero-club-1st-
edition-lyssa-cole-hero-club-cole-lyssa/
https://textbookfull.com/product/pow-mia-accounting-paul-m-cole/
| A D V A N C E D SECURITY ESSENTIALS - ENTERPRISE DEFENDER
Loss Prevention
Data Loss Prevention (DLP)
2 © 2 0 1 6 Dr. Cole
Introduction to Data Loss
Prevention
• Protection of information:
- Data in transit
- Data at rest
- Data classification
• Overall information protection and risk program
The following slides are designed to discuss and clarify the risk management process.
Security professionals must understand that the purpose of the organization is to fulfill its mission.
The purpose of a security professional is to help the business make informed decisions about security
issues that could potentially compromise the organization's mission.
A great primer to risk analysis and risk management is found in NIST's Special Publication 800-30:
Risk Management Guide for Information Technology
[1]
501 Essentials
Appreciate that although the definition looks fairly general, it is actually particular. Risk is calculated
for particular threat/vulnerability pairs.
On the surface the definition Risk = Threat x Vulnerability appears fairly simplistic and
straightforward. However, actually calculating values can be quite challenging. To appreciate these
challenges, we will parse the underlying concepts of threat and vulnerability and also fill in some gaps
in this oversimplified definition.
In addition, there are important factors that inform the definition that are omitted in this simplistic
definition, as we will see.
These straightforward questions illustrate most of what is done in risk analysis and risk management.
Now we turn our attention to parse the more technical side of these questions.
Threats
The first item in our definition to be parsed is the concept of a threat. A threat is simply something that
can bring harm to an information system. Though our simplistic definition doesn't include this element,
there is always a threat-source (aka threat-agent) that serves as the cause of the threat.
Let's use an example threat statement. Our web server will be DoSed via a server-side attack against the
vulnerability associated with 1-100.
1-100 is a patch for a vulnerability in ASP.NET that allowed a DoS to be introduced by targeting
ASP.NET's hash table generation for POST variables. This attack would be most likely be carried out by
sending an HTTP POST with an extremely large number of POST variables set to introduce a hash
collision.
The threat is a denial of service condition on a web server. The threat remains regardless if this particular
vulnerability exists on the web server. The risk for this particular threat vulnerability pair would be likely
eliminated if the patch were successfully deployed.
We do not see anything about the threat source in the threat statement. It is actually fairly common for
organizations to ignore the threat sources. However, the threat source becomes especially important when
we try to determine another key concept, likelihood, which will be reviewed later. Key questions
concerning the threat source are whether the source is motivated and whether the source is capable of
introducing this threat.
Vulnerabilities
Even if there are numerous motivated threat agents and there is no vulnerability, there is no risk. In the
previous threat statement, "Our web server will be DoSed via a server-side attack against the vulnerability
associated with 1-100," a vulnerability is mentioned. If we are not vulnerable to the vulnerability
associated with 1-100, then we have no risk.
Potential ways in which this vulnerability would not exist include the server is patched; the server is not
using IIS; the server is using IIS, but not ASP.NET; and the server is not Windows-based. Again, these are
potential ways in which the vulnerability might not be present and is not necessarily true of
So, to not have any risk all, we have to do is have zero vulnerabilities. Sounds straightforward enough.
Run a vulnerability scanner. Get everything patched. What is so hard about that?
10 © 2 0 1 6 Dr. Cole
Types of Vulnerabilities
• Everyone would prefer to have no vulnerabilities
and therefore have no risk
• For third-party systems/applications vendors
release security advisories and patches:
- Known vulnerabilities with known patches
- The vulnerability already existed before the advisory;
you just didn't know about it
• Zero-day vulnerabilities are those not publicly
known
- Targeted with zero-day exploits
501 Advanced Security Essentials
Types of Vulnerabilities
Although in theory patching every vulnerability might sound possible, reality is a different case. Patching
Microsoft vulnerabilities is easier than almost all other vendors, and yet organizations are still often
compromised by exploitation of these vulnerabilities. Then realize that the organization has to patch
every known flaw on every system (including printers, access control systems, HVAC, and such).
Sounds pretty tough, yet even if an organization were successful in patching everything, it would still
have exploitable vulnerabilities.
Even if you patch everything you know to patch, you have still failed. Why? Those vulnerabilities that
we patch (sometimes >10 years after the OS/application's release date) existed long before we ever had a
patch. Someone, even if it were just the vendor, was aware of the issue in advance of the patch's release.
Vulnerabilities for which there are no patches are known as Oday or zero-day vulnerabilities.
Although it is unlikely that your organization will be targeted with a zero-day vulnerability (outside of
custom applications), these vulnerabilities exist. What is the point? Why do we care? We need to
appreciate that a modern information system's risk is never practically ever going to be zero.
Exploits
Having already used this term, the meaning of an exploit is likely clear. An exploit is the means by
which a threat exercises a vulnerability. An attacker (threat source) exploits a vulnerability. In
addition to exploit used as a verb for understanding the risk equation, it is also necessary to
understand the term, exploit code. Exploit code is source or binary code that eases the ability for an
attacker to exploit a vulnerability.
When the concept of vulnerability scoring is introduced later, the existence of publicly available
exploit code is one of the items that can increase a vulnerability's overall score.
Another concept related to exploits and exploitation is that of a payload. The payload, in exploitation
terminology, is what action the attacker wants to carry out as a result of the exploitation. Getting a
shell, adding a user, and files are some examples of loads. Payloads are part of the
post-exploitation portion of an attack.
ms04_007_kiUbiU.rb
rb
negotiate tunc
rb rb vncinject.rb
x64
As can be seen in the upper screen shot, these exploits are tied directly to particular Microsoft SMB
vulnerabilities that have available patches.
In the lower screen shot, we see a few options of what actions the attacker might trigger: command
shell access; VNC (remote GUI) access, uploading and executing a binary of the attacker's choosing;
and the incredibly advanced Meterpreter payload.
For additional information on the outstanding open source Metasploit project, see
Advanced
Likelihood
Merely understanding the concepts of threat and vulnerability is not sufficient for performing risk
assessments. Likelihood is another key concept that helps inform our risk management.
Likelihood assessments attempt to determine how likely successful exploitation of the vulnerability
will be. Several factors inform the likelihood of successful exploitation. These factors include threat
motivation; threat capabilities; ease of exploitation; and existing controls and countermeasures.
Understanding how likely a scenario is can help to determine what an appropriate risk-based
response will entail. The more likely a scenario, the greater the risk.
Impact
A final concept for understanding the risk equation is that of impact. In addition to the likelihood,
impact is a critically important concept for determining risk that is not overtly stated in the simplistic
Risk = Threat x Vulnerability equation.
Impact attempts to determine what the outcome of successful exploitation would be. Impact
determination will necessarily take into consideration the information system in question as well as
the data housed or processed by the information system.
The importance of impact is obvious. Two systems with the same vulnerability, accessibility, and
subject to the same threat characteristics will not always warrant the same level of response from a
security-perspective. The system's to the organization will make a significant difference
when determining what countermeasures are ultimately employed.
Risk Analysis
Now that the basic concepts that support the definition of risk are understood, we turn our attention
to the process of risk analysis. We don't simply calculate risk to know our level of risk. We analyze
risk so that we can understand it and make informed decisions about whether and which
countermeasures need to be employed.
The two primary approaches to risk analysis are the quantitative approach and the qualitative
approach. There is no right approach, as each has its own merits.
16 © 2 0 1 6 Dr. Cole
Quantitative Risk Analysis
Quantitative Risk
Quantitative risk analysis is often thought to be preferable by those in business but is not always the
best approach for an organization.
As expected, quantitative analysis is numerically based and is almost always tied directly back to
money. For example, impact determination would be characterized by the cost to the business. Tying
the results of risk analysis back to dollars and cents is quite appealing for most organizations.
However, performing a thorough analysis that yields honest calculations can be quite difficult for
almost every organization. Determining with fidelity the value of the inputs into the risk equation is
terribly problematic. And unlike many other industries' risk-based metrics, information security data
is notoriously lacking and inconsistent.
© 2 0 1 6 Dr. Cole
Quantitative Formulas
Quantitative Formulas
Quantitative risk analysis focuses on numbers, bringing with it a number of formulas and metrics that
should be understood. The following are some of the key formulas used:
Additional calculations that are important to quantitative risk analysis as well as to other general
security considerations are:
• Qualitative analysis:
- Not as overtly tied to dollar amounts
associated with potential losses
- Considerably easier to calculate for most
environments
• Businesses might not consider as valuable
because of the lack of explicit dollar amounts
• Useful for prioritization of risks to be addressed
Qualitative Analysis
On the other end of the spectrum from quantitative risk analysis is qualitative risk analysis. The focus
of qualitative risk analysis is not to produce detailed numbers directly related to actual monetary
figures.
Qualitative analysis is not as focused on precise calculations of money, which can make it
considerably easier to calculate. However, many businesses prefer the quantitative analysis's focus
on money, as it is far easier to plug those numbers into budgets and projections.
Still, qualitative risk analysis should not be ignored simply because businesses would prefer to get
dollar amounts. The truth is, a lot of the dollar amounts determined by quantitative analysis are often
wild guesses. Given the relative ease with which qualitative analysis can be performed, it might
actually be preferable.
Low 1 2 3
Qualitative RA Matrix
One of the key tools for performing qualitative risk analysis is the Risk Matrix. The Risk Matrix
illustrates the continuum of risk (in this case from high to low) by plotting the Likelihood and Impact
associated with a threat vulnerability pair.
Will populating the Risk Matrix yield dollar amounts associated with impacts that can be used
directly in ROI calculations? No. But if your goal is to identify the most significant risks to an
organization, this simple tool can prove extremely effective.
20 Dr. Cole
Qualitative versus Quantitative RA
SEC Essentials
Easier to perform
© 2 0 1 6 Dr. Cole
Risk Management
Risk Management
As previously discussed in the introduction to risk, much of security professionals' jobs are centered
on dealing with issues of risk management. To that end, risk analysis is a key process that the
security professional needs to know.
Though we have already discussed quantitative and qualitative risk analysis, we will continue
reviewing risk analysis in more detail. Ultimately, the goal of analyzing risk is to understand the
current state of risk and make informed decisions about where items need additional scrutiny.
• Risk must take into account the context of the organization and
system
• Not all vulnerabilities are created equal
- Even when it is the exact same vulnerability
• An effective risk reduction strategy needs to prioritize which
risks are reduced and how:
- Should all vulnerabilities for a critical system be remediated first?
- Should a commonly occurring vulnerability throughout the
enterprise be remediated first?
• Approach depends on the business and potential impact
Effective risk management must prioritize a risk reduction strategy taking into account all the inputs
into the risk analysis equation as well as the time and cost to implement countermeasures capable of
eliminating or reducing risks to an acceptable level.
© 2 0 1 6 Dr. Cole
Asset Identification
Advanced Essentials
Asset Identification
To manage risk, the risks must be understood. For the risks to be understood, we have to appreciate
the assets on which the vulnerabilities exist. Asset identification is a key phase of the risk analysis
process.
Simply having an accurate inventory of information systems proves difficult for many organizations,
let alone understanding the impact was the information system to be compromised. If too onerous,
organizations would do well to first focus on asset identification for critical information systems.
24 Dr. Cole
Asset Evaluation
Asset Evaluation
Beyond merely identifying the information systems that exist in an organization, their role needs to
be appreciated.
An additional consideration is to appreciate the lack of certainty associated with the answers to these
questions. This inherent uncertainty is one of the major challenges associated with quantitative
analysis.
Thankfully, some of the data can be reused after calculating once, but this is still an onerous process.
Obviously, to understand a system's risk requires a detailed understanding of the asset's role and
value to the organization first. This information will inform us about the potential impact associated
with exploitation of vulnerabilities affecting this system.
501 Essentials
Risk Determination
Now that all the components have been identified and analyzed, actual risk determination can be
performed.
Risk = Threat x Vulnerability sure looks like a simple formula, but now we can appreciate all that goes
into this calculation.
Threat involves understanding threat sources, their motivations and capabilities. Also we have to
understand particular vulnerabilities and the likelihood of successful exploitation. Presuming successful
exploitation, we must understand CIA impacts. We must also assess the current controls that could limit
the impact or decrease the likelihood. With all this, we can now perform the risk calculation for each
particular vulnerability on each system. Then we just have to aggregate the scores ... and, finally,
determine overall risk. And then, we get to do something about it, or not.
Excessive Risk
So, you have spent many sleepless nights and finally completed the individual and overall risk analysis.
Management will review and determine whether the determined risk level is acceptable. If not, then the
risk is excessive, which doesn't mean a lot of risk, but rather simply that the risk exceeds acceptable
levels.
If risk is determined to be excessive, the organization must determine what the response will be. There
are several different valid responses. Many expect that the default response to excessive risk would
simply be to decrease the risk directly. This is one, but not the only, valid response to excess risk.